Information Security Policy
Digital security is a shared responsibility across government to protect and maintain its modernized infrastructure. That’s why we have developed the Information Security Policy: to guide our work and, when necessary, to help find solutions if problems arise.
All government personnel are obliged to follow this policy, including employees, contractors, consultants, volunteers, and third-party organizations.
- About the Information Security Policy
- Who is Responsible?
- Why We Need an Information Security Policy?
- Policy Exemptions
The Information Security Policy describes our approach to securing data along with our many efforts to develop a work culture where all government employees are aware of security issues and are compliant with relevant government legislation.
This policy ensures all data stored, sent or received by government is protected from events which may impact confidentiality, integrity or access.
Supplemental to the B.C. government Core Policy and Procedures Manual, this policy provides the framework for government organizations to establish local policies and procedures necessary for the protection of information and technology assets for the Province of British Columbia.
The policy is based on the international standard ISO/IEC 27002:2013* Information Technology - Security Techniques - Code of practice for information security management. The Revision Summary highlights what is different in the current version 3.0, and the Comparison - ISP v2.2 and ISP v3.0 document provides a high-level outline of the changes between the two versions of the policy.
The Office of the Chief Information Officer is responsible for developing, communicating, and implementing the Information Security Policy across government; however, each ministry determines how to apply the policy to its business operations.
This policy was distributed to all ministries and remains in use across government today. The policy has also been shared with select vendors who work with the Province to identify new security requirements as needed.
Each ministry has a Ministry Information Security Officer who can answer general questions on protecting information specific to their ministry.
Consider this situation: a government employee receives important files on a portable storage device like a USB. Perhaps she received the USB from a trusted contractor or another ministry staff member. How is that employee to know if she can trust the quality of the files on that USB? Furthermore, once she connects the USB to her desktop computer, how can she know if her own system might be affected, or worse, infected with some of the common viruses in circulation today?
Information moves so quickly and from so many different sources – within and beyond our government offices – that our policy must cover a number of elements:
- how to protect government information.
- how to handle, reassign, or dispose of corrupted files.
- how to access the content of files on portable storage devices.
- how to respond to possible loss or breach if an incident is reported through the Information Incident Management Process.
In some cases, a business area is unable to comply with a policy or standard, or may need more time to adjust to a policy change. In this case an exemption needs to be requested.